The SitePoint Forums have moved.

You can now find them here.
This forum is now closed to new posts, but you can browse existing content.
You can find out more information about the move and how to open a new account (if necessary) here.
If you get stuck you can get support by emailing forums@sitepoint.com

If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

What should my File Permissions be?

OK!

I have a part on my site where I use something like a clickthru.php script so that all clickthrus from my site to others get counted and put into a database plus it also hides the link to the external site.

I am giving quite a few clickthru's to other sites, but I have just had an email from someone that seems to keep getting errors.

When they click-thru from my site to another they get a forbidden error on the actually clickthru.php script page.

Unfortunately they do not have permission to access this page on my server. But they should be able to access it as it is just like a normal page, they don't need to have authorization to access it.

So I was wondering if changing the file permissions, would that work.

At the moment the file permissions are set to: 644 on the clickthru.php page. This is: -rw-r--r--

Do I need to change it to make them access it as I really need everybody to access every page on my site especially this one. If I don't then there is most likely to be more people like this one who are also having problems accessing it, which is then losing me money and visitors.

So changing the permissions to that will then allow every body to access the click.php script. What about security risks. Would there be a higher security risk.

Also would I have to change the directory to that as well. Also why can people access every other page apart from that one. Is it because when the script is called it also writes to MySQL as it increases the number that the associated link is clicked by 1.

You will have to change the directory permissions if they are not allowing the user to read or access it's contents. If the directory isn't accessible, it's contents won't be either. You shouldn't have any security problems so long as nobody has access to these files except through your web server, which will send only the output whenever they are requested.

744 should work for all of your html files and others that don't require execution. Because Your php needs to be executed, and not just read, it needs 755. This will be your experience with scripts.

What about php files that are just pulling information from a mysql database and then just displaying it to the user.

What permissions should these be. I have them all at 644 at the moment, which means I can write to them but the user can really only read them.

Should I also change all of these files permissions as wells.

People can see them just like normal webpages, but as some people could have access to the clickthru script then maybe they some of are also having a few problems with looking at a few of my normal pages that just pulls and displays information from a mysql database.

HardCoded, this was the first thing I had to overcome when I started hosting myself... I've had it up for a while now. The first thing I read was to set php scripts to 755 and others at 744. I don't see how the forbidden error doesn't have something to do with file permissions! I think it's got just as much to do with them as htaccess configurations. If your server can't read the files or execute the scripts, it can't display them.

Heck, what if you chmod -R 722 your htdocs directory? Nobody's going to be able to read those files, other than the owner, which isn't the nobody user apache runs under. The only other way to change that, from what I understand, is to set "nobody" as the owner of the directory and its contents. Anybody with ssh enabled will have a field day trying to protect their server if they do that...

This isn't an attack, it's just that you're proposing something I haven't yet heard of, and I'm curious... Please give more information,

I think you are remembering wrong. I have a whole server full of perfectly running PHP scripts that are all 644. What I do remember way back when was forgetting to 755 the home directory after adding a user and a new virtual host.

And try an experiment. Try setting a test.php chmod 600 and then browse to it. You don't get forbidden. You get a PHP error in your logs, that says it couldn't open the stream.

So all that's needed is the read permissions... I remember reading that I needed to change the permissions to 755... I'm trying to figure out why I'm remembering it not working until I changed the permissions to 755... oh well...

Ah.

"
* For generic files such as html or images, etc you usually need to set 644 permissions. It is because "nobody" needs to read the file, and thus the file should be readable by others, hence 4 (read only) permissions for both group and others. For yourself you need a right to read and write (hence 6) to the file.
* For scripts you need 755 rights. The script should be executable by "nobody". The script file should also be readable by "nobody", as the file is interpreted by an interpreter such as Perl and therefore must be readable. Thus it must combine read and execute permissions for "others", as "nobody" belongs to "others" group. For yourself you need to have also write access, getting 755 as a result. "

-http://www.zzee.com/solutions/unix-permissions.shtml

I was probably looking at something for bash scripts when I learned of it... But still, the above link is one of a few that I just found that say you should change permissions to 755 for web server scripts. I hate that such misleading information is so widely available, and I'm sorry for propogating false information.

When trying to figure out my problem I also thought that it was to do with the file permissions which was causing the forbidden error. But now I realise that has nothing to do with it when I went to the permissions and messed around with them setting them to 0 just to see what would happen.

All I could see was an empty page. I didn't see any 403 error.

I have also used 644 permissions on most of my scirpts for quite a while and they all work just the click.php script and another script is giving me a few problems. But after the better man "HardCoded" looked into the situation, he found out that it is to do with a piece of software installed on the server and nothing to do with my scripts.